The Complete Guide to MiCA Licensing for Crypto Companies in Europe

Europe has moved from fragmented national crypto regimes to a single, enforceable regulatory framework with real consequences for firms that are unprepared. MiCA changes how crypto businesses structure themselves, where they operate, and how they engage with regulators, banks, and customers.

This article serves as a practical deep dive into what MiCA means in practice, how the authorisation process works, and why early, well-structured compliance has become a strategic advantage rather than a regulatory afterthought.

The MiCA license is mandatory for crypto companies in Europe today as the Markets in Crypto-Assets (MiCA) Regulation supersedes national crypto licensing regimes with a single European-wide regulatory framework. Crypto firms can now secure a single license with passporting rights across all 27 EU member states, avoiding the need to secure a national license in each jurisdiction.

Without MiCA permission, crypto asset service providers will be barred from operations, banking facilities, and access to the European market. Sofian, who is the CEO of NextPay, sees the regulatory update as resulting in "a bit of a cleansing in the market" with only properly licensed participants succeeding. The advantages of early MiCA licensing include improved trust from institutional partners, access to a regulated banking environment, and the ability to build an enterprise that works across all European markets.

The MiCA license is the regulatory approval granted under the Markets in Crypto-Assets (MiCA) Regulation, which is the European Union’s primary legislative framework for regulating crypto-assets and their issuers and service providers. The regulation protects consumers and investors, ensures market integrity and financial stability, and promotes innovation within regulatory boundaries.

Once authorised in one member state of the EU, firms can passport their license throughout the whole of the European Economic Area without requiring repeat licensing from each state. This prevents regulatory arbitrage and reduces compliance costs for firms wishing to operate across Europe.

Difference between MiCA regulation and MiCA authorisation

MiCA regulation refers to the legal framework. MiCA authorisation refers to the license firms receive when they comply with the regulation.

MiCA regulation is the body of rules, requirements, and standards that are established by EU legislation as a framework to be followed by all relevant organisations and firms. MiCA authorisation is the license granted by a national competent authority (NCA) to a crypto firm that has applied for permission to operate under MiCA regulation. All firms that fall under the jurisdiction of MiCA regulation are required to go through a process of MiCA authorisation in order to be granted permission to offer services to customers within the EU.

Who needs a MIca license in Europe today depends on what services they offer or issue, and who their customers are. The regulation divides those who operate in or who wish to enter crypto markets into separate categories that have differing requirements.

Crypto-Asset Service Providers (CASPs)

Crypto-Asset Service Providers (CASPs) are entities like cryptocurrency exchanges or trading platforms that provide services related to trading crypto-assets. Firms that issue or provide such services that hold or administer crypto-assets on behalf of their customers need to secure permission through CASP Licensing.

Token issuers (utility tokens, asset-referenced tokens, e-money tokens)

Asset-referenced tokens (ARTs) are tokens that create stablecoins backed by multiple crypto-assets. ART issuers are required to obtain specific permission to provide these tokens, but they will have to meet rigorous capital reserve and reserve management requirements as well as governance obligations. E-money tokens (EMTs) are different in that they have to be issued by firms that receive permission from a national competent authority prior to issuance. They will also have to meet prudential regulations that apply to credit institutions. Utility tokens are lightly regulated, but even small issues will still require compliance with white paper and publication regulations, as well as limits on marketing activity.

Non-EU crypto companies targeting EU customers

Non-EU crypto companies that provide services or offer products to EU customers will also need to obtain a MiCA license. Companies that act in offshore exchanges that market their services to EU residents, offshore wallets that accept European customers, or even non-EU issuers that publicly issue tokens on European markets will all need permission under MiCA regulations.

In all these cases, these non-EU companies will have to establish a legal presence within the EU and have to go through an MiCA authorisation process with an EU member state’s NCA.

Activities that trigger MiCA licensing obligations

It is not who you are that requires you to obtain a MiCa license; it is what you do. The obligations for obtaining a license will arise out of professional crypto activities. Some of the relevant activities include:

The MiCA regulation applies to all 27 EU member states, and EEA states that adopt MiCA and permit passporting across jurisdictions so that firms licensed in one jurisdiction can provide services across the entire European market.

The MiCA regulation applies only to crypto-assets that are not already covered by other EU financial services regulations, such as:

The types of crypto-asset services that are covered by MiCA regulation include:

Activities or assets that are not covered by MiCA regulation include protocols based on genuinely decentralised finance (DeFi) that have no identifiable service provider or intermediary, as well as tokens referred to as non-fungible tokens (NFTs), which represent a unique digital or physical commodity rather than an investment opportunity. Assets that are already covered by existing financial regulation, such as tokens that qualify as securities under MIID II, are also excluded from coverage by MiCA.

The MiCA regulation will, however, give the European Commission the power to extend MiCA coverage to NFTs if they show the characteristics of crypto-assets that are subject to regulation, or if they are fractionalized for purposes of investment.

Centralised exchanges, custodians and providers of other crypto services will be subject to extensive MiCA compliance obligations, including authorisation, ongoing regulation and compliance with compliance standards. Web3 projects will need to carefully structure their protocols to remain genuinely decentralised; however, the introduction of any points of control, intermediaries or identifiable service providers will trigger MIca obligations.

EU legal entity and substance requirements

The first category requires the firm that is subject to MiCA regulation to establish a legal entity that operates within the EU and that has substance. Mailbox companies or shell operations that do not engage in active operations will be unacceptable. Companies will be expected to prove that they have a genuine presence in the EU, and the establishments will, for example, need to have office space, staff operating in the EU, and decision-making capabilities located in the EU.

While a company based outside the EU can establish an entity outside the EU, the offspring of such an establishment will need to be operational. It will need to have sufficient resources to operate its regulated activities on its own.

Minimum capital and prudential safeguards

Minimum capital and prudential requirements vary according to the type of activities and the profile of the risks involved:

In addition to having initial capital, there are ongoing prudential requirements relating to the amount of own funds in relation to the operational risk of the firm, the segregation of client assets, and insurance or comparable guarantees for custody service as well as recovery plans, where applicable.

Governance and management fitness and propriety standards

Management bodies should collectively have the knowledge, skills and experience necessary to understand the firm’s business activities and risk profile in relation to crypto-assets. Each individual must demonstrate fitness and propriety with relevant qualifications, experience in the financial services or technology industry, and no history of criminal offences or regulatory sanctions.

As Sofian said in relation to NextPay’s licensing experience:

“You have to think about how to document potential conflict of interest.”

This reflects a significant cultural change for many crypto start-ups. Firms are expected to implement formal policies on conflicts of interest, related party transactions and oversight of outsourced functions.

Internal controls, risk management and compliance functions

Firms have to have independent compliance functions responsible for monitoring compliance with rules, as well as risk management processes that identify and mitigate operational, market and liquidity risks. Firms will also need internal audit functions to assess how effective the firms’ controls are.

In addition to this, CASPs must have documented policies and procedures for all of their activities, maintain complete records of all transactions, and implement systems intended to detect market abuse.

Consumer protection, transparency and disclosure obligations

Service providers must publish clear and comprehensive information on the services they provide, their fees, the risks associated with the services it provides and the process for making complaints. Token issuers must publish detailed white papers disclosing information about the project, its technical specifications, the rights associated with the tokens, and risk factors. Statements that are misleading in a material respect may incur criminal liability.

Marketing communications must also be fair, clear and not misleading, with appropriate risk warnings. CASPs must implement policies in relation to conflicts of interest. Firms must provide clients with clear information on costs for services provided by CASPs, and firms must have robust systems in place for dealing with complaints.

The eligibility criteria for CASP authorisation under MiCA relate to establishment, personnel, documentation, technical infrastructure, financial resources, and operational readiness to interact with regulators. An applicant must satisfy all of these criteria in order to apply.

EU establishment and operational substance

The applicant must establish a legal person in an EU member state and demonstrate genuine operational substance in that jurisdiction. This requires maintaining a physical office, employing staff locally, and conducting core business activities from that location rather than merely operating a nominal presence.

Key indicators of sufficient establishment include:

Regulators assess these factors holistically to determine whether the firm operates “substantively” from within the EU.

Qualified directors, senior management, and compliance officers

The firm must employ individuals with appropriate qualifications and experience to perform key governance and control functions. This includes managing directors with strategic responsibility, risk managers with a clear understanding of the firm’s business risks, compliance officers familiar with applicable laws and internal policies, and money laundering reporting officers with expertise in AML and CFT requirements.

Regulators typically assess the fitness and propriety of these individuals through professional references, background checks, and interviews as part of the authorisation process.

Documented policies and procedures (compliance, risk, AML)

The firm is required to formally document its internal policies and procedures across all core control areas. These include compliance with applicable laws, risk management processes, anti-money laundering and counter-terrorist financing measures, business continuity arrangements, and the governance of outsourced activities.

This documentation obligation often represents a significant shift for early-stage crypto firms. As Sofian notes:

“This documentation burden is a big jump—from just dealing with your business, you have to think about how to document potential conflict of interest.”

IT security, custody safeguards, and operational resilience

The firm’s IT infrastructure must meet extensive regulatory expectations, many of which align with the Digital Operational Resilience Act (DORA). These requirements address cybersecurity resilience, the safeguarding of clients’ crypto assets, information security, and the firm’s ability to withstand and recover from operational disruptions or crises.

Overall, regulators expect firms to demonstrate that their systems and controls are designed to address a rapidly evolving threat landscape, rather than relying on minimal or legacy security measures.

Financial resources and capital readiness

Applicants must demonstrate that they have sufficient financial resources and are prepared to operate under regulatory oversight. This is typically evidenced through a credible business plan setting out projected revenues and costs, viability or stress testing to show the firm can meet its obligations under adverse conditions, and proof that adequate resources are available to cover potential losses incurred on behalf of third parties.

In addition, regulators expect firms to show that their funds and resources are genuinely “at risk,” meaning they are exposed to potential loss in the course of conducting the business.

Regulator-ready documentation and reporting structures

The firm must be able to submit a comprehensive and regulator-ready documentation package. This includes a clear description of the firm and its activities, an organisational chart setting out governance and reporting lines, documented policies and procedures, financial statements and projections, relevant legal opinions, and detailed information about the IT systems supporting the business.

The MiCA licensing application entails a stepwise sequence of actions from jurisdiction selection through the authorisation and EU passporting stages. Each ‘step’ outlined below describes an individual firm-level task.

Step 1: Select the EU member state regulator

Firms interested in applying must select an EU member state jurisdiction to which to apply, assessing jurisdictional differences in crypto-sector expertise, expected turnaround times, oversight approaches, bank relationship-building expectations, tax, and corporate law considerations.

Step 2: Get ready; conduct a MiCA ‘gap’ analysis

The firm should assess its current operations against MiCA requirements, determine what changes will be needed to operations, policies, and systems, engage knowledgeable advisors, open lines of communications with regulators early (without committing to an application), and ensure that its governance and compliance program will meet regulatory expectations.

Step 3: Prepare the application and submit it

Prepare the application submission package, including business plan(s), ownership structure and governance details, information about the fitness of management team members, compliance approach and policies, financial data, technical specifications for IT and security, and legal opinions.

Step 4: Respond to review and remediation

Respond to questions and data requests that follow both the completeness review and substantive approval processes, participate in management interviews with supervisory authority personnel, and remediate any shortcomings that may result from multiple rounds of review.

Step 5: Receive authorisation and complete passporting

After receiving authorisation, finalise all national and EU registrations and notify relevant authorities of the intention to passport services into other member states and commence operations under the MiCA regime.

MiCA license applications take between six months and two years to approve. Approval timelines depend on the quality of the application documents, the complexity of the business model, and the availability of resources within the relevant supervisory authority.

Although the formal timeline for review is often described as being within a three-to-six-month time frame, in practice, approval timelines are more likely to be lengthened by deficiencies in application forms, information requests to firms that require time to address, and resource scarcities in supervisory authorities.

Firms that submit well-prepared applications to authorities that have already developed robust measures for supervising crypto-related operations may have their applications approved within a six- to nine-month period. Business models that are complex or crypto-sector-specific, incomplete applications, and authorities that do not have sufficient resource availability can also delay approvals for twelve to eighteen months or longer. As this is the first time many of these supervisory authorities have had to process these types of applications, initial approval rounds are likely to be lengthy while best practices in supervision stabilise.

The factors that might speed up MiCA authorisation include the following: quality of the application; employing advisory team members who are knowledgeable about the regulation; maintaining open communications with the supervisors; timely responses to requests for additional information; strong governance structures and compliance programs; and selecting jurisdictions whose competent authorities have adequate resources to handle these applications.

The costs of MiCA licensing for crypto firms comprise regulatory fees, capital requirements, professional fees, and ongoing operational costs.

Application fees that competent authorities charge vary between €5,000 and €25,000 based on the complexity of the application. Firms also pay ongoing supervisory fees that depend on the size of its business, the categories of services, and the levels of regulatory burden. Fees range from a few thousand euros for small-scale operators to six-figure sums for exchanges and systemically important issuers.

Based on NextPay’s experience, Sofian notes that EMI licenses—which share structural similarities with CASP requirements—carry substantial capital obligations. Under MiCA, CASP minimum capital requirements range from €50,000 to €150,000, depending on the services provided. Asset-referenced token issuers face significantly higher thresholds, potentially reaching millions of euros based on reserve asset calculations. These funds must remain available to absorb losses and cannot be used for day-to-day business operations.

Professional fees are a large component of licensing costs. These fees include:

Licensing costs under MiCA are expected to be in the same range. Application preparation and professional fees alone usually cost firms between €200,000 and €500,000.

Besides these one-off costs, there are also recurring costs that firms face annually. These include:

Annual compliance costs for firms that obtain licenses under MiCA will typically range from around €100,000 for small firms to several million euros for large platforms.

Crypto start-ups most commonly fail MiCA compliance tests due to weaknesses in corporate governance, deficiencies in anti-money laundering (AML) and counter-terrorist financing (CFT) frameworks, insufficient documentation, underestimation of required resources, and business models that present excessive risks.

Weaknesses in corporate governance are a leading reason for refusal. Common issues include informal decision-making structures, unclear lines of authority, and management teams lacking financial services experience. Applications fail where firms cannot demonstrate adequate governance arrangements, independent control functions, or compliance with fitness and propriety requirements.

Another frequent cause of refusal is failure to demonstrate compliance with EU AML / know your customer (KYC) obligations. Typical weaknesses include inadequate customer due diligence, missing risk assessments, ineffective transaction monitoring, underdeveloped suspicious transaction reporting, and poor record-keeping. Crypto-native teams often underestimate the importance regulators place on identity verification, audit logs, and ongoing monitoring.

Applications also fail where documentation is insufficient or misaligned with actual practices. The MiCA framework requires detailed submissions covering governance, operational procedures, risk management, and internal controls. Generic or incomplete documentation leads to refusal.

Finally, regulators refuse applications where business models present excessive risks or lack economic viability. Firms that fail to clearly separate regulated and unregulated activities or demonstrate viable economic models with appropriate controls do not pass MiCA assessments.

MiCA sits alongside EU AML and KYC obligations, creating a layered compliance framework for crypto-asset service providers. Where MiCA creates authorisation, governance and conduct obligations for crypto-asset service providers, AMLD5, AMLD6 and the forthcoming AML Regulation impose extensive anti-money laundering and anti-terrorist financing obligations. MiCA specifically incorporates these obligations, requiring authorised CASPs to comply with EU obligations for customer due diligence, transaction monitoring and the reporting of suspicious transactions.

The EU Transfer of Funds Regulation creates travel rule obligations for crypto-asset transfers. CASPs have to collect, verify, transmit and retain information on the originator and beneficiary of a crypto-asset transfer, implement technical standards for the exchange of information between CASP’s, screen transactions for sanctions lists, and the firm has to identify its customers and their risk profiles, apply enhanced due diligence to customers with enhanced risks such as politically exposed persons and report suspicious activity to financial intelligence units.

Effective compliance means effective implementation. Firms are building integrated compliance functions, using common technology platforms that address both MiCA’s operational compliance and AML monitoring, and creating compliance policies that integrate the handling of crypto-asset-related compliance risks with traditional AML compliance obligations. Staff training on the two regimes should be continuous to satisfy regulatory expectations.

Planning an entry into the European market under MiCA requires advanced strategic planning of regulatory, operational and commercial issues. The firm’s jurisdictional choice should consider supervisors’ expertise in regulating crypto-assets, the efficiency of supervisors’ regulatory processes, the culture of the supervisor, and the presence of regulatory precedent for the use of the regulation for other business models.

On an operational level, the firm should evaluate jurisdictions for the availability of crypto-friendly banking relationships, the availability of compliance and technical staff, the availability of staff who speak the same language, and the local ecosystem of firms and advisers with MiCA expertise.

Timing is critical. MiCA’s authorisation process takes 12 to 18 months, and the firm will need to coordinate its licensing with its product development and fundraising activities. The successful firm integrates a compliance structure into its business model from the outset instead of seeking to retrofit the business model with compliance infrastructure, and builds compliance systems that scale with the firm instead of requiring major re-designs as the firm grows.

The firm that secures authorisation early will gain advantages over its competitors in the form of enhanced credibility with banks and institutional partners, passporting rights to all EU markets, and the ability to onboard customers while its competitors are still in the queue for authorisation.

The risks and consequences of operating without a MiCA license are severe. The supervisory authorities can impose administrative sanctions, daily penalties, refusals of applications for authorisation, and bans on the provision of services. Sanctions can amount to many millions of euros, as a fixed sum or as a percentage of the firm’s annual turnover, depending on the nature and duration of the violations.

The authorities can prohibit or suspend the provision of crypto-asset services to EU clients, and impose individual bans on directors or managers responsible for compliance failures. There may also be administrative or even criminal liability for unauthorised activities or misstatements under MiCA and the relevant implementing legislation, which can result in fines and professional disqualification.

The reputational damage from enforcement action is likely to be even worse. Firms operating without a license often lose access to the banking system and payment service providers. Regulated firms are increasingly unwilling to establish a business relationship with unregulated crypto operators. The loss of banking relationships means that there will be no access to fiat currency payment systems - no fiat onboarding, no withdrawals, and no day-to-day business. The EU market will become commercially unviable for any further business activity.